What’s the vulnerability?
Spectre and Meltdown represent a class of vulnerabilities affecting modern computer processors utilizing Intel’s CPU architecture. The vulnerabilities affect the majority of modern microprocessors, and allow an attacker with the ability to execute code on an affected system to randomly read memory locations for other running applications. Such data may include passwords, private keys, message contents, and more.
What can our customers do?
Shared SaaS: The VMware AirWatch SaaS Service team is currently evaluating, identifying, and patching affected systems in our SaaS environments related to vulnerabilities described in CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown).
Dedicated SaaS: In the event VMware AirWatch must perform maintenance that will affect our service availability to our SaaS dedicated customer environments, AirWatch will work with you to determine suitable scheduling of these activities.
On-Premise: On-Premise environments managed by customers should be remediated in accordance with the guidance document provided by your operating system vendor(s). VMware AirWatch is in the process of evaluating our shipped products to determine whether patching is necessary. At this time, VMware AirWatch has not identified any AirWatch products requiring software patches.
Mobile Applications: VMware AirWatch is aware of reports that these vulnerabilities have been shown to affect common browser frameworks such as Chromium and WebKit. VMware AirWatch mobile applications such as VMware Browser do not ship copies of these libraries, but instead rely on the versions of these libraries provided by the underlying operating system (ex: Android and iOS). Therefore, VMware AirWatch mobile applications take advantage of the mitigations already shipped by OEM vendors. At this time, VMware AirWatch has not identified any necessary application changes or mitigations beyond those provided by the OEM vendor. Customers should continue to monitor vendors for updates to device platforms and libraries.
Make sure to subscribe to this knowledge base article for the latest information as it becomes available. In addition, sign up for the VMware Security Announcements mailing list to receive new and updated VMware Security Advisories relating to VMware products.
- FAQ: CVE-2017-5753, CVE-2017-5715 (Spectre), and CVE-2017-5754 (Meltdown)
- VMware Security & Compliance Blog
- VMSA-2018-0002: VMware ESXi, Workstation and Fusion updated address side-channel analysis due to speculative execution
- VMSA-2018-0003: vRealize Operations for Horizon, vRealize Operations for Published Applications, Workstation, Horizon View Client and Tools updates resolve multiple security vulnerabilities
- VMware Virtual Appliances and CVE-2017-5753, CVE-2017-5715 (Spectre), CVE-2017-5754 (Meltdown) (52264)
Support Contact Information
The AirWatch Team